Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

Thread Info
  • State Verified Answer
  • Locked Locked
  • Replies 10 replies
  • Subscribers 42 subscribers
  • Views 5434 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Web Exceptions Not Working

NateP

We have 40+ XGs for our clients in MS Azure and now one of them wants to block most web activities, except for a handful of sites they use (slack, gitlab, google, and a bunch of others).  The problem is that Exceptions don't seem to work.  I have tried regex and just the simple domain names, no luck.

  1. Created a Policy
  2. Added a bunch of categories and stuff to it, with a default allow at the bottom.
  3. Created Exceptions, adding all the sites they wanted to use.
  4. Used Policy Test as well as created an actual Rule and all the sites are still blocked on the test machine.

What gives?  This firewall OS surprises me more and more every day.



This thread was automatically locked due to age.
Parents
  • 0

    NateP,

    make sure to check the scan http inside the firewall rule.

    Also on the web profile, you did select block only for http and not to https (locker icon).

    If you run the policy test, what it the result?

    Thanks

  • 0 in reply to lferrara

    lferrara said:
    make sure to check the scan http inside the firewall rule.

    Thanks.  I was not aware of the HTTP vs HTTPS option in the policies.  I will give that a shot.  I also was trying to be careful of the scanning options in the rule during testing, since this is a live firewall.  We first turned this on in January (without the exceptions) and it put a ton of extra load the firewall to the point that VPNs were dropping.

  • 0 in reply to NateP

    Still no dice.  Tried policy test with HTTP and also HTTPS in the URL.

    In the exceptions I have just slack.com and also a regex of ^([A-Za-z0-9.-]*\.)?slack\.com

  • 0 in reply to NateP

    Hi NateP,

    Thanks for the screenshots.  I tested this on my side and it worked fine.  Is your slack exclusion in the same A Exceptions as your previous screenshots?  I suspect that the exception is not hitting.  Make sure that the exclusion is skipping policy checks and is turned on.

  • 0 in reply to MEric

    Hi  

    Yes, it's in the same list of exclusions, it was just truncated in the # more... list

     

     

    I just can grasp why it's not hitting.  Shouldn't exclusions be global across all policies?  It's hard to say, so far there are several things in the XG that don't make sense logically.  I'm just confused and under pressure from the client's info-sec team to get web access blocked, but didn't want to block everything and then whitelist from there.

  • 0 in reply to NateP

    ^([A-Za-z0-9.-]*\.)?slack\.com\.?/

     

    Shouldn't you have a \.?/ after the com

     

    Also do you have anyother rules that may be higher on the list blocking this?  Country Blocking?

    Respectfully, 

     

    Badrobot

     

Reply Children
No Data
Unfiltered HTML